
I have a public hosting server. I want to give access to it only from one specific IP address. Since it's public hosting, I don't have access to its infrastructure or Apache configuration. I can only create an .htaccess file. Based on that, can I create a truly secure firewall to accept requests from the specified IP address only?

Does this .htaccess setting accomplish this?

    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx

Is it possible to have access from another IP address?

Or maybe someone can make fake requests signed as from xxx.xxx.xxx.xxx client?

schroeder
Simon
  • Please note that this is Apache 2.2 syntax, and you should definitely be using Apache 2.4 – usr-local-ΕΨΗΕΛΩΝ Nov 23 '20 at 19:43
  • As a second layer of defense, you might want to consider using `iptables` to block requests from unwanted IPs on port 80 and/or 443. This will protect you in case of a zero-day vulnerability in Apache, as this will block these requests before they even reach Apache. – mti2935 Nov 24 '20 at 14:22

2 Answers


If you allow from one IP and deny the rest (once you get the syntax correct), then only the one IP can connect.

Another computer can spoof that IP, but then all traffic would end up going to that IP and not the one trying to connect.

schroeder
  • +1 for 'Another computer can spoof that IP, but then all traffic would end up going to that IP and not the one trying to connect'. In fact, it would not even be possible for the attacker to complete an SSL/TLS handshake with your server using a spoofed IP. – mti2935 Nov 24 '20 at 14:25

Code for the current version of Apache (2.4)

    Require ip xx.yy.zz.kk
    Require all denied

Is it possible to have access from another IP address?

No, unless the source IP gets spoofed by the attacker

Or maybe someone can make fake requests signed as from xxx.xxx.xxx.xxx client?

Unlikely if your "public hosting server" is on a hardened network that will try to prevent blatant attacks

References:

In particular, while a single packet can be spoofed at no cost, you should know both that 1) it likely won't survive your ISP's first hop, and that 2) it takes fully stealing an IP address class in order to fully establish and maintain a TCP session to a firewalled box. This BGP hijacking is something you can't realistically do at home, as you need large control over network and BGP routes. Network providers are aware of this threat and are working on multiple solutions, like authentication, RPKI (RFC 8210) and the BGPSec protocol (RFC 8205), to mitigate it.

Conclusion: as for your firewall, it will work as expected and you can rest assured. Further comment: you may also like defense-in-depth, and I recommend that you add additional security measures, e.g. strong authentication at the application level.

usr-local-ΕΨΗΕΛΩΝ
  • And in the 2.2 syntax, you should swap deny and allow (first allow, then deny the rest) – usr-local-ΕΨΗΕΛΩΝ Nov 23 '20 at 19:52
  • The router authentication you linked is only protecting the connection with the neighbor router. This doesn't really protect from an evil operator somewhere advertising fake routes with BGP. – Esa Jokinen Nov 24 '20 at 05:36
  • Interesting. And correct from the technical standpoint. I want to state that the OP should rest assured that (unless the obvious government-level attacker) they can sleep safe that *realistically* no one can steal an IP address for continuous use. – usr-local-ΕΨΗΕΛΩΝ Nov 24 '20 at 09:56
  • Yes. That goes a bit far from the original question. It's not a realistic scenario for a typical setup where the risk model is against opportunistic attacks. Someone should have access to BGP routing in order to fully use the IP address for two-way communication. However, I would just remove the link to BGP authentication and replace it with a source about the issue, because now it seems you claim the authentication has solved this problem, which it hasn't. – Esa Jokinen Nov 24 '20 at 11:39
  • Okay, my focus was on the fact that network providers are aware of the risk of BGP hijacking, but it's not applicable for an opportunistic attack, and still, network providers are working on hardening their assets from hijacks. I should find a source about the source ISP preventing IP spoofing, which is something I have been taught at university, but I can't find sources at the moment – usr-local-ΕΨΗΕΛΩΝ Nov 24 '20 at 13:11
  • I.e. my `Computer Networks II` teacher said once: "If you attempt to send a forged source IP over your home DSL link, your telco provider will *likely* [emphasis mine] drop your packet as it doesn't match your real subnet" – usr-local-ΕΨΗΕΛΩΝ Nov 24 '20 at 13:13
  • Now it's much better already (+1). I wish RPKI and BGPsec would become more common in the following years. However, *availability* is way too important for the Internet operators and many are not willing to risk it for the favor of *confidentiality* and *integrity*. – Esa Jokinen Nov 24 '20 at 15:13
  • Also, this is such a quality answer the original question doesn't even deserve it! – Esa Jokinen Nov 24 '20 at 15:18
  • The point is that there are two separate questions. One is: "does this code work as a firewall?" and the other is a vast question about the relative security of firewalling based on IP whitelisting, the answer to which is "Rest assured, because IP stealing is very unlikely for a SOHO appliance, here is why..." – usr-local-ΕΨΗΕΛΩΝ Nov 25 '20 at 10:57
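
Added example (not part of the question, answers or comments, and not Apache's own code): a small Python model of how Apache evaluates the 2.2 `Order`/`Allow`/`Deny` lines from the question and the 2.4 `Require` lines from the second answer, so the decision for an allowed and a foreign client can be checked offline. The addresses are constructed stand-ins for the elided ones, the function names are hypothetical, and the model assumes host specs are only `all`, a single IP or a CIDR block.

```python
import ipaddress

CLIENT = "203.0.113.10"   # constructed stand-in for the elided xxx.xxx.xxx.xxx
OTHER = "198.51.100.7"    # constructed address that must be rejected

def matches(spec, client):
    """True if client falls under a host spec: 'all', a single IP, or a CIDR block."""
    if spec == "all":
        return True
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)

def authz_22(order, allow, deny, client):
    """Apache 2.2 Order/Allow/Deny: Order sets precedence and the default."""
    allowed = any(matches(s, client) for s in allow)
    denied = any(matches(s, client) for s in deny)
    if order == "deny,allow":
        # Deny is checked first, a matching Allow overrides it; no match = allowed.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is checked first, a matching Deny overrides it; no match = denied.
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order}")

def authz_24(requires, client):
    """Apache 2.4: bare Require lines act as an implicit RequireAny (one grant wins)."""
    for line in requires:
        kind, _, arg = line.partition(" ")
        if kind == "ip" and any(matches(a, client) for a in arg.split()):
            return True
        if line == "all granted":
            return True
        # "all denied" never grants, so it cannot override a matching "ip" line.
    return False

def report():
    """Decision for the allowed and a foreign client under each rule set."""
    rules = {
        "2.2 deny,allow": lambda c: authz_22("deny,allow", [CLIENT], ["all"], c),
        "2.2 allow,deny": lambda c: authz_22("allow,deny", [CLIENT], ["all"], c),
        "2.4 Require": lambda c: authz_24([f"ip {CLIENT}", "all denied"], c),
    }
    return {name: (check(CLIENT), check(OTHER)) for name, check in rules.items()}

if __name__ == "__main__":
    for name, (own, foreign) in report().items():
        print(f"{name:15} allowed client: {own!s:5}  other client: {foreign}")
```

Under `Order allow,deny` the same `Allow`/`Deny` lines reject every client, including the allowed one, because `Deny from all` is evaluated last and matches everything.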